Sophos Auto Update Service is missing

I have a machine that went bad after last week's client update. We tried removing Sophos, couldn't remove it. Ran the uninstall script found here:

https://community.sophos.com/kb/en-us/122126

 

BTW the Sophos Clean reference is wrong, it should be under the x86 folder. The article may be referring to a 32-bit machine... whoever has those anymore.

Removed folders and files and registry keys. Removed the machine from the cloud control panel and tried to reinstall. Took about 20 minutes before it stated that installation failed. It actually installed but the Auto Update service is missing.

This link of course ... didn't help.

community.sophos.com/.../125462 Service is reported as "Missing"

 

Removed the client again via the same method. Deleted remnants manually. Reinstalled and same issue.

I haven't heard from Sophos support in 2 days (which is in its own right horrible).

Anyone here have a clue how to fix this?

  • Same issue with one of our machines here. Spent almost 3 hours now trying to uninstall and reinstall. What a mess...

  • In reply to Jelle:

    A second machine is having this problem now...

    Happened during a manual installation of Endpoint Security and Intercept X.

    During installation of Sophos System Protection Service the installer claims that the user does not have enough privileges, although setup is done with an administrator account and all previous modules and services have been installed.

  • In reply to Jelle:

    Sophos support was not much help. Instead I used the old sophosinstall.exe to find the original installer guid. I then searched the registry for it and removed a couple of references to the Sophos Antivirus service. I then was able to reinstall using sophossetup.exe and the autoupdate error was no longer present.

    I am not sure if this holds true for every cloud tenant but the GUID I found was:

    2519A41E-5D7C-429B-B2DB-1E943927CB3D

    I added that to the Sophos batch file mentioned above as well and our support department now uses this file to remove Sophos and perform remediation installs.

    FYI this seemed to happen because the user interrupted the upgrade process for the new client that Sophos has been rolling out. If the user doesn't know any better and, let's say, shuts down their machine, the removal process is interrupted and everything gets messed up. We have many machines where this has happened and we are still in the process of fixing them.

    Sophos needs to do a better job here. The client is not very robust and the user needs to be prevented from messing up client upgrades with a good notification system. Additionally the resources available to assist with remediation are woefully lacking here.

     

     

  • In reply to Robert Czymoch:

    Seems to be the same GUID. Maybe you can post the modified batch file or the occurrences in the registry for comparing? Thanks.

  • In reply to Jelle:

    I don't seem to be able to add an attachment. A copy and paste is below. This is based on the Sophos KB mentioned earlier with a fix for Sophos Clean (x64 machines) and the GUID added to the Sophos Anti-Virus section. We run this batch file to remove Sophos during remediation re-installs, which we seem to be doing a lot of. Once we run this batch file we also remove the following items manually.

    Delete any of the remaining Sophos registry keys
    "HKEY_CURRENT_USER\Software\Sophos"
    "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos"
    "HKEY_LOCAL_MACHINE\SOFTWARE\Sophos"

    Delete any of the remaining files
    "C:\Program Files (x86)\Sophos\"
    "C:\Program Files\Sophos\"
    "C:\Program Files (x86)\Common Files\Sophos\"

    Batch File for removal

    net stop "Sophos Anti-Virus"
    net stop "Sophos AutoUpdate Service"
    "C:\program files\Sophos\Sophos Endpoint Agent\uninstallcli.exe"
    :Sophos AutoUpdate
    MsiExec.exe /qn /X{7CD26A0C-9B59-4E84-B5EE-B386B2F7AA16} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{BCF53039-A7FC-4C79-A3E3-437AE28FD918} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{9D1B8594-5DD2-4CDC-A5BD-98E7E9D75520} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{AFBCA1B9-496C-4AE6-98AE-3EA1CFF65C54} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{E82DD0A8-0E5C-4D72-8DDE-41BB0FC06B3E} REBOOT=ReallySuppress
    :Sophos Anti-Virus (Endpoint)
    MsiExec.exe /qn /X{8123193C-9000-4EEB-B28A-E74E779759FA} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{36333618-1CE1-4EF2-8FFD-7F17394891CE} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{DFDA2077-95D0-4C5F-ACE7-41DA16639255} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{CA3CE456-B2D9-4812-8C69-17D6980432EF} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{3B998572-90A5-4D61-9022-00B288DD755D} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{2519A41E-5D7C-429B-B2DB-1E943927CB3D} REBOOT=ReallySuppress
    :Sophos Anti-Virus (Server)
    MsiExec.exe /qn /X{72E30858-FC95-4C87-A697-670081EBF065} REBOOT=ReallySuppress
    :Sophos System Protection
    MsiExec.exe /qn /X{934BEF80-B9D1-4A86-8B42-D8A6716A8D27} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6} REBOOT=ReallySuppress
    :Sophos Network Threat Protection
    MsiExec.exe /qn /X{66967E5F-43E8-4402-87A4-04685EE5C2CB} REBOOT=ReallySuppress
    :Sophos Health
    MsiExec.exe /qn /X{A5CCEEF1-B6A7-4EB4-A826-267996A62A9E} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{D5BC54B8-1DA1-44F4-AE6F-86E05CDB0B44} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{E44AF5E6-7D11-4BDF-BEA8-AA7AE5FE6745} REBOOT=ReallySuppress
    :SDU (1.x)
    MsiExec.exe /qn /X{4627F5A1-E85A-4394-9DB3-875DF83AF6C2} REBOOT=ReallySuppress
    :Heartbeat
    MsiExec.exe /qn /X{DFFA9361-3625-4219-82C2-9EF011E433B1} REBOOT=ReallySuppress
    :Sophos Management Communications System
    MsiExec.exe /qn /X{A1DC5EF8-DD20-45E8-ABBD-F529A24D477B} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{1FFD3F20-5D24-4C9A-B9F6-A207A53CF179} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{D875F30C-B469-4998-9A08-FE145DD5DC1A} REBOOT=ReallySuppress
    MsiExec.exe /qn /X{2C14E1A2-C4EB-466E-8374-81286D723D3A} REBOOT=ReallySuppress
    :UI
    MsiExec.exe /qn /X{D29542AE-287C-42E4-AB28-3858E13C1A3E} REBOOT=ReallySuppress
    :SophosClean
    "C:\Program Files (x86)\Sophos\Clean\uninstall.exe"
    :SED
    "C:\Program Files\Sophos\Endpoint Defense\uninstall.exe" /quiet
    :HMPA (managed) 3.5.3.563
    "C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe" /uninstall /quiet
    :HMPA 1.0.0.699
    "C:\Program Files (x86)\HitmanPro.Alert\uninstall.exe" /uninstall /quiet
    :HMPA 3.7.14.265
    "C:\Program Files\HitmanPro\HitmanPro.exe" /uninstall /quiet

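A read-only check of what the cleanup in the post above leaves behind, as an added example that is not part of the thread or of Sophos's tooling. It reads the product codes from a saved copy of the batch file (the file name `remove-sophos.bat` is an assumption), looks them up under the standard Windows Uninstall keys, and reports the leftover keys, folders and services named in the post.

```powershell
# Added example (not from the thread): read-only audit of Sophos remnants.
# Assumption: the batch file posted above was saved as .\remove-sophos.bat.
param([string]$BatchPath = '.\remove-sophos.bat')   # hypothetical file name

# Pull every product code out of the "MsiExec.exe /qn /X{GUID}" lines.
$codes = Select-String -Path $BatchPath -Pattern '/X(\{[0-9A-Fa-f-]{36}\})' -AllMatches |
    ForEach-Object { $_.Matches } |
    ForEach-Object { $_.Groups[1].Value.ToUpper() } |
    Sort-Object -Unique

# Standard per-machine MSI uninstall registrations, 64-bit and 32-bit views.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$report = @(foreach ($code in $codes) {
    foreach ($root in $uninstallRoots) {
        $key = "$root\$code"
        if (Test-Path -LiteralPath $key) {
            $name = (Get-ItemProperty -LiteralPath $key).DisplayName
            [pscustomobject]@{ Kind = 'MSI product'; Item = $code; Detail = "$name" }
        }
    }
})

# Keys and folders the post says to delete by hand after the batch file runs.
$leftovers = @(
    'HKCU:\Software\Sophos', 'HKLM:\SOFTWARE\Wow6432Node\Sophos', 'HKLM:\SOFTWARE\Sophos',
    'C:\Program Files (x86)\Sophos', 'C:\Program Files\Sophos',
    'C:\Program Files (x86)\Common Files\Sophos'
)
$report += @(foreach ($path in $leftovers) {
    if (Test-Path -LiteralPath $path) {
        [pscustomobject]@{ Kind = 'Leftover'; Item = $path; Detail = 'still present' }
    }
})

# The two services the batch file stops; matched by service name or display name.
$report += @(foreach ($svcName in 'Sophos Anti-Virus', 'Sophos AutoUpdate Service') {
    $svc = Get-Service | Where-Object { $_.Name -eq $svcName -or $_.DisplayName -eq $svcName }
    $state = if ($svc) { "$($svc.Status)" } else { 'Missing' }
    [pscustomobject]@{ Kind = 'Service'; Item = $svcName; Detail = $state }
})

$report | Format-Table -AutoSize
```

The `HKCU` check covers only the account running the script, and the lookup is limited to the Uninstall keys rather than a full registry search.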
     

  • In reply to Robert Czymoch:

    Thanks a lot!!! Worked for me.

  • In reply to Robert Czymoch:

    Only worked for one pc. The other one still failed. Deleted other entries from Registry and folders related to Sophos but that didn't help. Auto Update and Endpoint Defense were missing.

    I was able to install Auto Update from /cache/decoded/sau folder which then was active. So only Endpoint Defense was missing.

    Now I manually started the update process as Auto Update was functional but the update failed. Instead the Diagnostic Tool told me a reboot was needed.

    After reboot updating still failed but under events it showed me that SDU wasn't properly installed. So I reinstalled from cache/decoded/sdu folder. After that the update worked and now the pc seems to be ok. Also Sophos Central shows that everything is ok.

    So, mission accomplished. But to be honest... What a mess!

  • In reply to Jelle:

    Hi All

    I too am in the process of dealing with this mess.

    The problems we are experiencing are almost identical to yours so this must be a greater issue than support are admitting!

    I have raised a support ticket last week #7907525 which has been escalated to the next level of Support but still no further contact.

     

    I can remember at the release conference of Sophos Central Kris Hagerman saying we wouldn't see these kind of update screw-ups any more yet here we are!

     

    Just re-imaging a machine and will try your workaround above...

  • In reply to lennie martin:

    Have finally got it to install!

     

    Removed all previous versions from our image, ran the bat file posted above, then rebooted before install.

     

    Will hold off on the roll out to the rest of the company until Sophos have fixed this.

     

    Shame it takes the community to find a working solution though.

     

    Big thanks to you guys for this.